Dear eForensics Readers!
I am glad to say that our successful JumpStart Series is continuing into a third volume!
As with the previous volumes, we trust this volume will help you update your skills and advance your career.
More than 200 pages present an easily readable, practical and theoretical approach to digital forensic science. For a better understanding of this edition, I suggest you have a look at our previous volumes and the Preparation Stage.
In addition to a few forensic tutorials, step-by-step articles and need-to-know information, we also discuss Windows OS and some well-known forensic tools. An interview with Nanni Bassetti, who is the project manager of C.A.I.N.E. Linux, reflects on a few interesting data gathering perspectives.
As usual, we’re open to your suggestions and ideas.
Your opinion is extremely important for our authors and editors.
Check what you can find inside:
THE WINDOWS FORENSIC ENVIRONMENT
by Brett Shavers
The Windows Forensic Environment, also known as Windows FE or WinFE, is a Windows operating system that can be booted from external media such as a CD, DVD, or USB flash drive. Windows FE is based on Windows PE, a minimal Windows operating system with limited services that is used to prepare a computer for Windows installation, among other Windows-related tasks. The main, and of course most important, difference between Windows FE and Windows PE is that Windows FE boots a computer system forensically (without writing to the evidence disks) whereas Windows PE does not. What makes WinFE different from non-Windows based forensic boot systems is that with WinFE the forensic examiner can use almost all of their favorite Windows based software tools, rather than Linux applications.
EXAMINING GOOGLE CHROME ARTIFACTS
by David Biser
The Internet has grown by leaps and bounds over the course of its existence. There are millions upon millions of users who are browsing the Internet on a daily basis. Some of these are good, some of these are ugly and some of these are just plain old bad! Amongst those who are browsing the Internet are the good guys, who are seeking to enforce the law and conduct digital investigations in order to stop the bad things from happening on the Internet. One major program that these digital investigators can turn to in order to locate evidence is Google Chrome!
EMAIL EDISCOVERY IN A MICROSOFT WORLD
by Eric Vanderburg
Microsoft Exchange provides email services for organizations and enterprises of every size. In fact, it is the dominant player in this space. eDiscovery efforts in litigation often focus on email messages and their associated attachments, and Microsoft has built preservation, search and review features into the product to ease the burden of eDiscovery. This article explains the features Microsoft provides out of the box and how organizations can use them.
IMAGING WITH X-WAYS FORENSICS
by Brett Shavers
You probably know a lot about creating forensic images. You may have even created hundreds, or thousands, of forensic images during your career. But have you imaged with X-Ways Forensics? If not, you will be surprised at the imaging options available in X-Ways Forensics that do not exist in other software or hardware imaging solutions. In fact, you will most likely be excited enough to try X-Ways Forensics just for its imaging ability after reading this article. For starters, did you know that X-Ways Forensics is more than twice as fast as other forensic tools? Trust me when I say that imaging with X-Ways Forensics is just plain neat.
THREAT HUNTING AND CORPORATE INVESTIGATIONS WITH SIEM TECHNOLOGY
by Filip Nowak
How do you handle modern threats and corporate espionage with next-generation, integrated solutions? Security Operations Centers have technology, such as SIEM (Security Information and Event Management) and NGTP (Next Generation Threat Protection), and incident response processes to detect, mitigate and remediate potential danger to any organization.
STEP-BY-STEP TO ASSESS IT SYSTEM CONTROLS
by Kevin M. Moker
Risk management is a discipline that covers many areas. There is financial risk, operational risk, strategic risk, and compliance risk, to name a few. Information Technology (IT) poses its own risk to the organization, but what is IT risk? Why should you care about IT risk? How do I measure IT risk? It has been said, “What gets measured, gets done.” Let's look at how to conduct an IT risk assessment, from policy to assessment questions to actual compliance measurements against the information security policies. The number one goal is to be able to know whether you are in compliance with your information security policies. This is just one strategy to get there.
by Krystina Horvath
In this article, you will learn about logic bombs. Logic bomb structure, attack methods and consequences will be detailed and examples of recent logic bombs will be discussed.
INTRUSION DETECTION USING A VIRTUAL MACHINE ENVIRONMENT
by Niranjan P. Reddy
Malware attacks against single hosts and networks are extremely dangerous and could compromise the security of the entire network. Protection from malware is one of the top worries for system administrators, who have to ensure that there are no unnecessary threats to their systems. These threats can have an adverse effect on a running business or other mission-critical operations. Over the past few years, intrusion detection and other security measures have gained critical importance in the fight against malware. Selecting the right IDS is the key to mitigating malware attacks. This article discusses an attempt to create a more robust IDS while noting the limitations of traditional detection systems.
A DIGITAL FORENSICS CASE STUDY USING AUTOPSY
by Pujan Shah
Every day we need to validate digital information, especially in law and business. As physical reality is replaced with virtual reality, establishing data validity and data sources requires new technology. Digital criminals take advantage of the difficulty of validating data to commit fraud. Our job is to defend truth and fight crime.
The following case study covers common aspects of forensic examinations, such as analyzing files, viewing Internet artifacts, recently used files and attached devices from the Registry, and email analysis. We also discuss a few investigation processes regarding data collection from nonvolatile memory storage.
THE INTERVIEW WITH NANNI BASSETTI, C.A.IN.E. LINUX FORENSIC DISTRO PROJECT MANAGER, FOUNDER OF CFI – COMPUTER FORENSICS ITALY
USB AND LNK FILE ANALYSIS
by Eric Vanderburg
Data moves easily and freely between computers and devices, especially today with the inexpensive price of storage devices like flash drives and external Universal Serial Bus (USB) storage. Data may exist not only on a machine or in the cloud, but on many removable devices as well. It is tough for the average person to keep track of all this data. It is even more important for the forensic investigator to understand the role and value that Link (LNK) files and USB devices have as evidence. This data can be helpful when trying to determine whether sensitive data has been removed from a facility, or whether data relevant to a case is present on removable media that attorneys might need to obtain.
HOW TO ANALYZE A TRAFFIC CAPTURE
by Javier Nieto Arevalo
We live in an era where signature-based antivirus makes less sense if we want to fight against attackers who create customized malware only for their targets. This malware is commonly known as an Advanced Persistent Threat (APT), and it is really interesting to research where the host was infected, the connections back to the Command and Control server to get instructions, and the damage the malware has done. Sometimes it is easier to detect infected hosts in the network by analyzing the network traffic than by using an antivirus running on the host.
CASE STUDY – INVESTIGATING A NIGERIAN WEBMAIL AND E-BANKING PHISHING ATTACK
by Gilad Ofir & Dvir Levi
In today’s world, we all use email for practically everything, from talking to friends and colleagues to communicating with bosses and business partners. However, like every good thing, it can be abused by spammers and hackers and used to spread infections. Since we all use it, it is important to understand the security issues that arise when someone's e-mail is targeted for spamming.
by Rizwan Khan, CISSP, CFCE
Network forensics is a branch of digital forensics which relates to the analysis of network traffic for the purpose of gathering evidence of network tampering, intrusion or criminal activity, or for general information gathering. Network forensics is a comparatively new field of forensic science. Depending upon the type of case, network forensics can add value to computer forensics cases and help identify digital devices operating on the network.
by Satinder Sandhu
Predictions about when the world will end are as consistent as the predictions of when IPv4 internet addresses will finally run out, but some IT security professionals say that is the least of our worries. A much bigger concern, they say, should be the security holes that will open up in many business organizations as the world moves over to Internet Protocol version 6 (IPv6). In this article we are going to discuss and execute the techniques and methodologies which can make the future of the internet… INSECURE!!
HOW TO INVESTIGATE CRIMINAL CASES AS A CIVILIAN DIGITAL FORENSICS INVESTIGATOR
by Larry Smith
I spent a quarter of a century in law enforcement. During that time I was assigned to the Internet Crimes Against Children (ICAC) detail of the Las Vegas Police Department as a digital forensics examiner and later as an examiner in the Electronic Crimes Unit. The job consisted of the digital examinations of computers and cell phones as well as many other digital devices.
On the law enforcement side your thought process is to get the data off of the device and present it to the prosecuting attorneys or the detective assigned to the case, using whatever tools you have at your disposal.
INTRODUCTION TO WINDOWS FORENSICS USING PARABEN P2 COMMANDER
by Dauda Sule, CISA
Microsoft Windows is the most widely used operating system for both business and personal use. Such popularity has made it one of the operating systems most targeted by malicious attackers. As a result, it is often used as a platform to access personal and workplace data, or even to commit policy breaches that assist in the commission of criminal acts. Investigations based on electronic evidence stand a very high chance of being carried out on a system running one version or another of the Windows operating system. It is therefore one of the most important operating systems that anyone going into the field of cyber forensics will need to know how to investigate.
ORACLE LABEL SECURITY
by Robert Vanaman, M.S.
In the 21st century, we have witnessed a tectonic shift in how personal privacy, wealth, and trust are violated. Cyber criminals have infiltrated all aspects of society’s newest infrastructure: the information technology grid. This paradigm of cybernetic treachery has ceased to be relegated to a mere future concern. Combating this threat is Oracle Label Security (OLS); it reigns as the gold standard for database security within an Oracle database environment.
COMPUTER FORENSICS: IMAGES AND INTEGRITY
by Frederick S. Lane
There are few concepts more important to the field of computer forensics than cryptographic hash values. Understanding what they are, how they are calculated, and how they are used by law enforcement is a critical part of effectively defending a criminal case that involves digital evidence.
MY TWO BITS ON DIGITAL FORENSIC INVESTIGATIONS!
by René Hamel
The Forensic Technology area of expertise has been around for quite a few years now. The name evolved from a variety of specialized areas including “High Tech Crime”, “Digital Electronic Investigations”, “Digital Forensics” and sometimes “IT Crime Investigations”, to name a few.